Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Friday, April 22, 2011

How can US law enforcement agencies access location data stored by Google and Apple?

Note: I am not a lawyer. US privacy law is exceedingly complex. If I am wrong, I hope that someone who knows this better will chime in.

Over the past day, the iPhone location scandal has expanded beyond location data retained on the phone to data sent by iPhones and Android devices back to Apple and Google. This raises some really interesting issues, particularly regarding the degree to which these companies can be compelled to disclose that data to law enforcement agencies. In this blog post, I am going to try to examine the limited legal protections afforded to this data.

Introduction

Today, the Wall Street Journal reported that Apple's iPhones and iPads and Google's Android mobile phones all collect and transmit back to the companies data about a device's nearby WiFi access points, geo-location data, and in Google's case, a unique identifier.

According to the Journal, Android phones collect the data every few seconds and transmit it to the company at least several times an hour. Apple, meanwhile, "intermittently" collects data and transmits that data to itself every 12 hours.

The motivation for this data collection appears to be to create a large database of WiFi access points and their associated locations, which mobile devices can then use to determine the user's approximate location (doing so via WiFi uses far less battery power than using the GPS chip).

While such collection is likely entirely commercial in nature, this also raises serious privacy concerns regarding the ease with which law enforcement agencies can access this sensitive data.

A quick primer in location privacy law

The primary law in the US that governs the privacy of information kept by Internet and communications companies is the Electronic Communications Privacy Act (ECPA). This law dates back to 1986, long before cloud computing, email inboxes larger than 5 megabytes, or GPS enabled smartphones. To be quite blunt, the law is hopelessly out of date, and it is for this reason that the House and Senate held multiple hearings over the last two years focused on ECPA reform.

For user data to be protected by ECPA, it needs to fall into one of two categories:

An "electronic communication service" ("ECS") is "any service which provides to users thereof the ability to send or receive wire or electronic communications." Examples of this include telephone and email services.

A "remote computing service" ("RCS") is a "provision to the public of computer storage or processing services by means of an electronic communications system." Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a user. Examples of this likely include data stored in the cloud, such as online backup services.

ECPA provides varying degrees of protection for communications content and non-content data stored by an ECS or RCS (without going too far into the details, communications content generally requires a warrant, and most non-content data can be obtained with a lesser court order). However, if the service is neither an ECS nor an RCS, law enforcement agencies can obtain the information with a mere subpoena, without getting a judge to sign off on the order.

Location data under ECPA

Law enforcement agencies routinely obtain location data from wireless telephone companies. Depending on the kind of data sought (historical or real time, fine-grained or approximate tower data), the kind of court order varies between a probable cause warrant, or an order based upon facts showing that the information will be relevant and material to an ongoing investigation.

It is important to note that the wireless carriers are providing their customers with a communications service, and that the location data is usually generated in the process of the users' phone transmitting voice or other data to a tower. While most consumers probably do not realize that the phone companies know where they are whenever they make a call or check their email, consumers are at least knowingly making a call or checking their email. As such, the location data obtained by the government quite clearly falls into the ECS category under ECPA.

Internet companies, location data and ECPA

In 2009, Google launched Latitude, its mobile location check-in competitor to Loopt and Foursquare. Shortly after the launch, the EFF reported that both Loopt and Google had pledged to require that user location data would only be delivered to law enforcement agencies in response to a warrant.

When it comes to friend-finding services, we think it’s clear that your location information is the content of a private communication between you and your friends, and that it deserves the same legal protections against wiretapping as the content of your phone calls or your emails.

Because the text of ECPA doesn't actually include the word "location", Loopt and Google tried to get the best protections they could for users' check-in data by arguing that it is in fact a communication transmitted through their service to users' friends. That is, these firms argued that check-in location data is handled by an ECS.

(Note to legal experts: I am simplifying this a little bit, since these companies actually insisted on a wiretap order. The companies don't keep any historical location data by default, other than the most recent data-point, so they insisted on an intercept order before they would start retaining future location data).

iPhone/Android location data: ECS, RCS or neither?

Now, with this in mind, let's consider the location data transmitted covertly by iPhones and Android devices. Given that the existence of this information collection and transmission wasn't widely disclosed to users (other than in privacy policies that no one reads), that it didn't hit the press until this week, and that users are not knowingly transmitting the information to their friends or anyone else, I think it is going to be pretty tough for these two firms to claim that this location data falls under the ECS protections of ECPA. This location data is simply not a communication by the user.

Similarly, I don't think that these companies can reasonably claim that this location data falls into the category of an RCS, since it isn't a storage or processing service provided to the user. Quite simply, the companies are collecting this data for their own benefit, not the user's, who probably has no idea that it is being collected and transmitted to a server somewhere.

What this means, I think, is that this location data likely does not fall under the protections of ECPA, which means that law enforcement agencies can likely obtain it with just a subpoena.

Now, it is quite possible that if and when these firms receive a request for this data, they could refuse to comply with the subpoena and argue that it should be subject to the protections of the 4th Amendment. Certainly, some judges around the country have decided that mobile phone location data is sensitive enough to require a probable cause warrant issued by a judge. However, many other judges do not agree with that theory. Without the protections of ECPA, if the courts do not think this data deserves 4th Amendment protections, there is nothing to stop law enforcement agencies from getting it with a subpoena.

Conclusion

What should be clear after reading this post is that privacy law in this country is hopelessly out of date. The collection of location information by Apple and Google raises some really troubling questions regarding the degree to which existing law restricts law enforcement access to the data when it is not associated with a communication by the user, but rather, is collected without their knowledge or consent.

As I noted at the beginning of this post, I am not a legal expert (but a computer scientist by training). There are several fantastic privacy law experts out there, and I really hope that they look into this issue, and write their own, far more extensive analysis.

5 comments:

It is not true that Android data collection is not disclosed. Android users are asked as part of the setup wizard if they want to allow anonymous data collection or not; they can opt out if they want. iPhone, on the other hand, was/is doing this without the user ever noticing it or getting the chance to make their choice.

As far as I remember, when I start an app that uses my location (on my iPod touch, [same for the iPhone]) a message pops up on the screen, asking me for permission. AND there IS a location menu (Settings > General > Location) where you CAN deactivate the location features completely or CHOOSE the apps you want to have access to your location data.

I had this discussion a couple years ago in "what if...?" mode with a U.S. attorney's office investigator, as we watched our daughters play at a birthday party. He admitted the potential dangers, but was a realist on the practical parts -- lawyers would have lots of business, headlines would be made, etc. All he asked was enough cooperation for law enforcement to prevent major destructive events.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.